web application monitoring - windows authentication

Michael Hertrick m.hertrick at neovera.com
Fri Apr 18 00:19:44 CEST 2003


Yes, it is possible to monitor a web server with digest authentication (it sounds like that's what you're talking about).  

You will need to write your own "plugin" to do it, but it shouldn't be hard if you have some basic knowledge of shell scripting and a little patience.  Last I checked most web-browsers do not even support digest authentication and I don't personally know of any monitoring programs that do either.

Read the RFC for all the details.  RFC2617 -- HTTP Authentication

Here's a summary:

Client sends a GET for a particular document, /dir/index.html
The server responds with (the challenge):

        HTTP/1.1 401 Unauthorized
        WWW-Authenticate: Digest
                 realm="testrealm@host.com",
                 qop="auth,auth-int",
                 nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                 opaque="5ccc069c403ebaf9f0171e9517f40e41"

The client then replies with this (the response):

        Authorization: Digest username="Mufasa",
                 realm="testrealm@host.com",
                 nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                 uri="/dir/index.html",
                 qop=auth,
                 nc=00000001,
                 cnonce="0a4f113b",
                 response="6629fae49393a05397450978507c4ef1",
                 opaque="5ccc069c403ebaf9f0171e9517f40e41"

Notice the "nonce" and "opaque" are taken from the server's challenge... you don't need to compute those.  You must calculate and provide a cnonce value (see RFC) and response (your md5 password hash).

You can use 'md5' to compute the password hash.  For example:
# echo "mypassword" | md5
d84c7934a7a786d26da3d34d5f7c6c86

Looks pretty simple to me...... famous last words, I know. ;-)

I do not have a script that does it, or I'd just give it to you.  I would like to see something like this available as a plugin, so let me know if you need any help with it.  The right way to do it would be to add the functionality to check_http, but I don't know C that well, so I just use existing programs and shell scripts to do custom stuff like this.

~Mike.
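
An added example, not part of the original message or of any Nagios plugin: a POSIX shell sketch of the RFC 2617 qop=auth calculation that reproduces the response value in the exchange quoted above. The function names are hypothetical, and the password "Circle Of Life" is the one RFC 2617 section 3.5 gives for this sample exchange; it does not appear in the message.

```shell
#!/bin/sh
# Added example: RFC 2617 Digest response (qop=auth) for a monitoring check.
# Function names are hypothetical; the password comes from RFC 2617 section 3.5.

# MD5 hex digest of exactly the string given (printf adds no trailing newline).
md5hex() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | md5 -q      # BSD/macOS md5
    fi
}

# Extract one quoted parameter from a WWW-Authenticate value.
challenge_param() {  # $1 = header text, $2 = parameter name
    printf '%s' "$1" | tr -d '\r\n' | sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p"
}

# response = MD5( MD5(user:realm:password) : nonce:nc:cnonce:qop : MD5(method:uri) )
digest_response() {  # user realm password method uri nonce nc cnonce
    ha1=$(md5hex "$1:$2:$3")
    ha2=$(md5hex "$4:$5")
    md5hex "$ha1:$6:$7:$8:auth:$ha2"
}

# Build the Authorization header from the server's challenge.
authorization_header() {  # challenge user password method uri nc cnonce
    realm=$(challenge_param "$1" realm)
    nonce=$(challenge_param "$1" nonce)
    opaque=$(challenge_param "$1" opaque)
    resp=$(digest_response "$2" "$realm" "$3" "$4" "$5" "$nonce" "$6" "$7")
    printf 'Authorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, nc=%s, cnonce="%s", response="%s", opaque="%s"\n' \
        "$2" "$realm" "$nonce" "$5" "$6" "$7" "$resp" "$opaque"
}

# Constructed sample input: the challenge shown in the message above.
CHALLENGE='WWW-Authenticate: Digest
    realm="testrealm@host.com",
    qop="auth,auth-int",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    opaque="5ccc069c403ebaf9f0171e9517f40e41"'

# nc and cnonce are fixed here only so the output matches the sample exchange.
authorization_header "$CHALLENGE" Mufasa 'Circle Of Life' GET /dir/index.html 00000001 0a4f113b
```

In a real check the cnonce would be generated fresh for each request and nc incremented each time the same nonce is reused.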
  ----- Original Message ----- 
  From: sakrafd 
  To: nagios-users at lists.sourceforge.net 
  Sent: Friday, April 18, 2003 5:45 AM
  Subject: [Nagios-users] web application monitoring - windows authentication


  Hi,

  I am trying to set up nagios to monitor a web application that is located in a different windows domain on an intranet. The IIS5 server the application runs on does not allow anonymous or basic authentication access - all users have to have specific ACLs to view the site (a windows challenge/response prompt pops up in IE when first attempting to hit the app). Is it possible to monitor this type of application with nagios? If so, how? If not, does anyone know of a free monitoring tool that will?

  Thanks in advance,

  Dave
